Accessing Lower-Level Untrusted Servers

Sometimes a client needs to be able to access a server on
an unlabeled system. An unlabeled system is a system that does not run the Trusted
Extensions software. In such a case, you cannot use multilevel ports because they
are restricted to privileged servers that run in the global zone or in
labeled zones.

For example, suppose your browser is running in the INTERNAL zone. You want
to access a web server that runs on a single-level network that
has been assigned the PUBLIC sensitivity label by means of the tnrhdb database. Such
access is not permitted by default. However, you could write a privileged proxy
server to forward the HTTP request to the PUBLIC web server. The proxy
should use a special Trusted Extensions socket option called SO_MAC_EXEMPT. This socket option permits
a request to be sent to an untrusted lower-level service, and permits the
reply from that service to be returned to the requester.

Note - The SO_MAC_EXEMPT option is an unprotected downgrade channel: the kernel delivers the request from the higher-level zone to the lower-level service without any label check on its contents, so it must be used very carefully. The option cannot be set unless the calling process has the PRIV_NET_MAC_AWARE privilege in its effective set. Such a process must enforce its own data filtering policy to prevent higher-level data from leaking to the lower-level service through anything it forwards. For example, the proxy should sanitize URLs so that arbitrary words cannot be passed as values (in a query string or a path component), because such values are a ready way to encode INTERNAL data in a request that is delivered to the PUBLIC server. The same applies to any client-supplied headers the proxy might otherwise pass through.
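As an added example (not the wget excerpt this page refers to, and not Trusted Extensions' own code), the two halves of such a proxy in C: a helper that opens a TCP socket with SO_MAC_EXEMPT set only after confirming that PRIV_NET_MAC_AWARE is in effect, and the request-filtering policy the note calls for. The allow-listed PUBLIC hosts, the path alphabet and the length limit are constructed assumptions for illustration, not a policy from the page; priv_ineffect() and the PRIV_NET_MAC_AWARE name are assumed to be the Solaris <priv.h> interfaces. The SO_MAC_EXEMPT branch is compiled only where <sys/socket.h> defines the option; elsewhere the helper fails with ENOTSUP rather than silently falling back to an ordinary socket.

```c
/*
 * Added example: SO_MAC_EXEMPT socket helper plus a constructed
 * request-filtering policy for a privileged INTERNAL -> PUBLIC proxy.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef SO_MAC_EXEMPT
#include <priv.h>   /* priv_ineffect(), PRIV_NET_MAC_AWARE (Solaris; assumed) */
#endif

/*
 * Open a TCP socket the proxy may use to reach a lower-level server.
 * Returns the descriptor, or -1 with errno set.  Without Trusted
 * Extensions the option does not exist, so refuse instead of opening
 * a plain socket that the caller might mistake for an exempt one.
 */
int mac_exempt_socket(int family)
{
#ifdef SO_MAC_EXEMPT
    int sock, on = 1, saved;

    /* setsockopt() fails anyway without the privilege; check up front. */
    if (!priv_ineffect(PRIV_NET_MAC_AWARE)) {
        errno = EPERM;
        return -1;
    }
    if ((sock = socket(family, SOCK_STREAM, 0)) == -1)
        return -1;
    if (setsockopt(sock, SOL_SOCKET, SO_MAC_EXEMPT, &on, sizeof (on)) == -1) {
        saved = errno;
        (void) close(sock);
        errno = saved;
        return -1;
    }
    return sock;
#else
    (void) family;
    errno = ENOTSUP;
    return -1;
#endif
}

/* Constructed allow-list of PUBLIC servers this proxy is willing to reach. */
static const char *const public_hosts[] = { "www.example.com", "docs.example.com" };

int host_allowed(const char *host)
{
    size_t i;

    if (host == NULL)
        return 0;
    for (i = 0; i < sizeof (public_hosts) / sizeof (public_hosts[0]); i++)
        if (strcmp(host, public_hosts[i]) == 0)
            return 1;
    return 0;
}

/*
 * Path policy (constructed): the request path is the one client-chosen
 * field that reaches PUBLIC, so keep it short, restrict it to a small
 * alphabet, and refuse query strings, fragments, percent-encoding and
 * ".." so free-form "values" cannot be smuggled into it.
 * Returns 1 if the path may be forwarded, 0 otherwise.
 */
#define MAX_PATH_LEN 128

int url_path_allowed(const char *path)
{
    const char *p;

    if (path == NULL || path[0] != '/' || strlen(path) > MAX_PATH_LEN)
        return 0;
    for (p = path; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '.' || c == '-' || c == '_'))
            return 0;      /* rejects '?', '#', '%', spaces, everything else */
    }
    if (strstr(path, "..") != NULL || strstr(path, "//") != NULL)
        return 0;
    return 1;
}

/*
 * Build the request the proxy actually sends.  Only the two filtered
 * fields reach the wire; none of the client's own headers (cookies,
 * Referer, User-Agent) are forwarded, as those are obvious carriers
 * for INTERNAL data.  Returns the length written, or -1 if refused.
 */
int build_request(char *buf, size_t buflen, const char *host, const char *path)
{
    int n;

    if (!host_allowed(host) || !url_path_allowed(path))
        return -1;
    n = snprintf(buf, buflen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}
```

A real proxy would connect the descriptor from mac_exempt_socket() to the allow-listed host, write only the string build_request() produced, and relay the response back to the INTERNAL client; the filtering is deliberately an allow-list, since a deny-list of "bad" characters is exactly the kind of policy that leaks.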

The following code excerpt demonstrates the use of SO_MAC_EXEMPT in a modified version
of the wget command's connect_to_ip() routine in connect.c. The call to setsockopt()
has been added to show how to set the SO_MAC_EXEMPT option.